Arp Cache Poisoning; Dynamic Arp Inspection - Cisco 4500M Software Manual

Overview of Dynamic ARP Inspection

ARP Cache Poisoning

You can attack hosts, switches, and routers connected to your Layer 2 network by "poisoning" their ARP
caches. For example, a malicious user might intercept traffic intended for other hosts on the subnet by
poisoning the ARP caches of systems connected to the subnet.
Consider the following configuration:
Figure 34-1 ARP Cache Poisoning (figure: hosts HA (IA, MA), HB (IB, MB) and HC (IC, MC) attached to switch interfaces A, B and C)
Hosts HA, HB, and HC are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host HA uses IP address IA and MAC address MA. When HA needs to communicate with HB at the IP layer, HA broadcasts an ARP request for the MAC address associated with IB. As soon as HB receives the ARP request, the ARP cache on HB is populated with an ARP binding for a host with the IP address IA and a MAC address MA; that is, IP address IA is bound to MAC address MA. When HB responds, the ARP cache on HA is populated with a binding for a host with the IP address IB and a MAC address MB.

Host HC can "poison" the ARP caches of HA and HB by broadcasting forged ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB, so HC intercepts that traffic. Because HC knows the true MAC addresses associated with IA and IB, HC can forward the intercepted traffic to those hosts using the correct MAC address as the destination. HC has inserted itself into the traffic stream from HA to HB: the classic "man in the middle" attack.

Dynamic ARP Inspection

To prevent ARP poisoning attacks such as the one described in the previous section, a switch must ensure that only valid ARP requests and responses are relayed. Dynamic ARP inspection (DAI) prevents these attacks by intercepting all ARP requests and responses. Each intercepted packet is verified for a valid MAC-address-to-IP-address binding before the local ARP cache is updated or the packet is forwarded to the appropriate destination. Invalid ARP packets are dropped.

DAI determines the validity of an ARP packet based on valid MAC-address-to-IP-address bindings stored in a trusted database. This database is built at runtime by DHCP snooping, provided that DHCP snooping is enabled on the VLANs and on the switch in question. In addition, DAI can validate ARP packets against user-configured ARP ACLs in order to handle hosts that use statically configured IP addresses.

DAI can also be configured to drop ARP packets when the IP addresses in the packet are invalid or when the MAC addresses in the body of the ARP packet do not match the addresses specified in the Ethernet header.
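The validation described above, as an added example that is not Cisco's implementation: a Python function that parses an Ethernet/ARP frame and applies the DAI-style checks (sender binding against a trusted table, sender IP sanity, ARP-body MAC versus Ethernet source MAC). The binding table and all addresses are constructed for the example.

```python
import struct
import ipaddress

# Constructed stand-in for the DHCP snooping database / ARP ACL entries
# that DAI trusts: IP -> MAC. HC (IC, MC) deliberately has no entry.
TRUSTED_BINDINGS = {
    "10.0.0.1": "00:11:22:33:44:01",  # HA: IA -> MA
    "10.0.0.2": "00:11:22:33:44:02",  # HB: IB -> MB
}

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(eth_src, sender_mac, sender_ip, target_ip, op):
    """Build a broadcast Ethernet II frame carrying an IPv4 ARP packet
    (op 1 = request, 2 = reply). Target MAC is left zeroed."""
    eth = bytes.fromhex("ff" * 6) + bytes.fromhex(eth_src.replace(":", "")) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += bytes.fromhex(sender_mac.replace(":", "")) + ipaddress.IPv4Address(sender_ip).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed
    return eth + arp

def inspect_arp(frame: bytes, bindings=TRUSTED_BINDINGS) -> str:
    """Return 'forward' or 'drop: <reason>' for one ARP frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return "drop: not an ARP frame"
    eth_src = mac_str(frame[6:12])
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "drop: unsupported ARP header"
    sender_mac = mac_str(frame[22:28])
    sender_ip = ipaddress.IPv4Address(frame[28:32])
    # Optional check: the sender MAC in the ARP body must match the Ethernet source.
    if sender_mac != eth_src:
        return "drop: sender MAC does not match Ethernet source"
    # Optional check: reject invalid sender IPs (0.0.0.0, broadcast, multicast).
    if sender_ip.is_unspecified or sender_ip.is_multicast or str(sender_ip) == "255.255.255.255":
        return "drop: invalid sender IP"
    # Core check: the sender IP/MAC pair must exist in the trusted database.
    expected = bindings.get(str(sender_ip))
    if expected is None:
        return "drop: no trusted binding for sender IP"
    if expected != sender_mac:
        return "drop: sender MAC does not match trusted binding"
    return "forward"
```

A forged reply from HC claiming IA with MAC MC fails the core check, while HA's own request for IB is forwarded.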
Software Configuration Guide—Release 12.2(25)EW
Chapter 34 Understanding and Configuring Dynamic ARP Inspection
34-2
OL-6696-01
